In using Apache 'Prefork' MPM mode, Policy Server output HandShake Errors.


Article ID: 6353


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


When accessing by multi threads per second, Policy Server output HandShake Errors as below.


[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1974][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3152 [4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1981][ERROR][sm-Tunnel-00030] Handshake error: Failed to receive client hello. Socket error 0 [4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with


This issue is related to Apache 'Prefork' mode.

In 'Prefork' mode, a single control process is responsible for launching child processes which listen for connections and serve them when they arrive.

Apache httpd always tries to maintain several spare or idle server processes, which stand ready to serve incoming requests. In this way, clients do not need to wait for a new child processes to be forked before their requests can be served.As this working, several idle processes are likely to be existing.

By this reason, Policy Server try to close idle sockets and send RST packets to WebAgent, this occur connection issue between WebAgent and Policy Server.


Component: SMPLC


Either of following resolutions.

1. Work as 'Worker' MPM mode.

A single control process (the parent) is responsible for launching child processes. Each child process creates a fixed number of server threads as specified in the ThreadsPerChild directive, as well as a listener thread which listens for connections and passes them to a server thread for processing when they arrive.Apache HTTP Server always tries to maintain a pool of spare or idle server threads, which stand ready to serve incoming requests. In this way, clients do not need to wait for a new threads or processes to be created before their requests can be served. 

2. Increase 'idletimeout' value (default 10 minutes) at Policy Server side in smconsole.


Additional Information


Very frequent handshake errors: